
Would love to get a response to this. We are required to be HIPAA compliant and started out on Heroku. We basically only had a prototype built and didn't have any clients yet, so we didn't really care. After a few weeks of paying for Heroku we got a very standard sales call from Heroku. They were checking in/trying to up-sell us on some stuff.

They asked us what we needed, and I responded with, "We need to be HIPAA compliant - what do we need to do to make that happen on Heroku?"

The sales rep immediately replied along the lines, "We don't do that."

He ended the call shortly after that, clearly uninterested in our money.

Since then, we started using Aptible (https://www.aptible.com) and they are AWESOME. The biggest difference for us is that they also provide the legal documentation and advice to work through HIPAA compliance. They're totally willing to go beyond just being a PaaS and really start to blend into a moderate level of legal counsel. Only downside is that their premium service entails a premium price.



HIPAA compliance is 99% paperwork, policies, and procedures. There are technical safeguards, but they're things you'd be irresponsible not to do anyway: have individual user accounts, encrypt things, lock workstations after periods of inactivity, have reasonable password policies, etc. And it's pretty dated - as far as I know 2FA isn't even mentioned. It also doesn't include things you'd think it might: no medical practice is actually using PGP. Microsoft Exchange as far as the eye can see. Maybe, if you're lucky, a central gateway so that outgoing emails show up as a link to a web portal where you can log in and view the message.

Most of HIPAA compliance (from an IT perspective) is having a comprehensive security policy and documenting that you're doing certain activities with the appropriate frequency: risk analysis, security audits, auditing user accounts and privileges, security training for users, etc.

I think the biggest barrier to getting HIPAA compliance on more infrastructure providers is that infrastructure providers are engineering organizations, and HIPAA is mostly a CYA activity for lawyers (plus some easy, obvious OPSEC).


Aptible CEO here - thanks for the Aptible love! I imagine Heroku will offer a BAA at some point for this product, but you're right that the hybrid compliance/technical services will remain the most valuable part of platform services like these, at least for regulated industries.


Also an Aptible customer, went down a similar route from Heroku to Aptible. Like it so far!

Also have had impressively short conversations with SaaS product companies after the acronym HIPAA or BAA is brought up.


I talked to them out at AWS re:invent in November and it was implied but not confirmed that HIPAA compliance was being worked on. Maybe things have changed since then.


There are many things in AWS that are not HIPAA-compliant yet, so I am not sure how Heroku (if that's the one you are referring to) can be HIPAA compliant in everything.


I too have used Aptible and been very impressed. Seems like Aptible would be a very smart acquisition for Salesforce.



